https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/in-shell-powershell-commands-not-captured/m-p/426576#M962 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150738">@BenHooper</a>&nbsp;</P><P>&nbsp;</P><P>It would seem that the endpoint is not collecting the logs necessary to report powershell activity to the Cortex Data Lake. If this issue persists, did you confirm if this device is attached to a policy that enables Enhanced data (<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/customizable-agent-settings/add-agent-settings-profile" target="_self">See step 10 of this link.</A>)&nbsp;&nbsp;</P> Thu, 12 Aug 2021 17:08:05 GMT gjenkins 2021-08-12T17:08:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/in-shell-powershell-commands-not-captured/m-p/351079#M329 <P>As of at least 2020/07/10, I've only ever seen Cortex XDR capture PowerShell commands were included as parameters of a command-line process - never in-shell commands (opening PowerShell then manually executing the commands).</P><P>&nbsp;</P><P>Enabling PowerShell module auditing / logging locally doesn't make a difference.</P><P>&nbsp;</P><P>Is this a known problem?</P><P>&nbsp;</P><P>Examples below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020 ∕ 07 ∕ 10 15꞉05꞉16 - Rule_Builder_-_Cortex_XDR_-_Google_Chrome.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27837i9188B53F2A276CE1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020 ∕ 07 ∕ 10 15꞉05꞉16 - Rule_Builder_-_Cortex_XDR_-_Google_Chrome.png" alt="2020 ∕ 07 ∕ 10 15꞉05꞉16 - Rule_Builder_-_Cortex_XDR_-_Google_Chrome.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020 ∕ 09 ∕ 22 15꞉38꞉24 - BIOC_-_Cortex_XDR_-_Google_Chrome.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27838i266F10D133D3ABE7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020 ∕ 09 ∕ 22 15꞉38꞉24 - BIOC_-_Cortex_XDR_-_Google_Chrome.png" alt="2020 ∕ 09 ∕ 22 15꞉38꞉24 - BIOC_-_Cortex_XDR_-_Google_Chrome.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020 ∕ 09 ∕ 22 15꞉45꞉18 - Query_Results_-_Cortex_XDR_-_Google_Chrome.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27839iE791C96D7A448BD8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020 ∕ 09 ∕ 22 15꞉45꞉18 - Query_Results_-_Cortex_XDR_-_Google_Chrome.png" alt="2020 ∕ 09 ∕ 22 15꞉45꞉18 - Query_Results_-_Cortex_XDR_-_Google_Chrome.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020 ∕ 09 ∕ 22 15꞉50꞉01 - Query_Results_-_Cortex_XDR_-_Google_Chrome.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27840iD91699AC5A512AEC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020 ∕ 09 ∕ 22 15꞉50꞉01 - Query_Results_-_Cortex_XDR_-_Google_Chrome.png" alt="2020 ∕ 09 ∕ 22 15꞉50꞉01 - Query_Results_-_Cortex_XDR_-_Google_Chrome.png" /></span></P> Tue, 22 Sep 2020 14:55:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/in-shell-powershell-commands-not-captured/m-p/351079#M329 BenHooper 2020-09-22T14:55:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/in-shell-powershell-commands-not-captured/m-p/426576#M962 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150738">@BenHooper</a>&nbsp;</P><P>&nbsp;</P><P>It would seem that the endpoint is not collecting the logs necessary to report powershell activity to the Cortex Data Lake. If this issue persists, did you confirm if this device is attached to a policy that enables Enhanced data (<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/customizable-agent-settings/add-agent-settings-profile" target="_self">See step 10 of this link.</A>)&nbsp;&nbsp;</P> Thu, 12 Aug 2021 17:08:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/in-shell-powershell-commands-not-captured/m-p/426576#M962 gjenkins 2021-08-12T17:08:05Z